lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 30 Sep 2008 17:31:53 -0400
From: Valdis.Kletnieks@...edu
To: degeneracypressure@...il.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [inbox] Re: Supporters urge halt to, hacker's,
	extradition to US

On Tue, 30 Sep 2008 16:30:09 EDT, Eliah Kagan said:
> When a http indexing bot (like those used by Google, for instance)
> comes upon a hyperlink into a page that is http authenticated, does it
> follow the link and try a blank password, or does it not follow the
> link? Is there some accepted standard for that?

The actual (slightly simplified) sequence of events:

1) Software (spider or browser) finds a link.
2) Software tries to follow the link.
3) The server sends back an error code that says "Nope, you need http auth here"
4a) Browser now puts up the box that asks for userid/password.
4b) spider gives up unless it's been configured to know the userid/password (for
instance, if it's a spider internal to the organization).
5) Armed with the proper userid/password, the software then makes a *second*
request for the page.

> Here's another question...suppose someone finds that a Pentagon system
> is open to access and modification by anyone in the world, and then
> that person informs the appropriate governmental authorities rather
> than accessing the system. In response to that information, wouldn't
> the system administrators then **also have to investigate and then,
> regardless of the outcome, flatten and rebuild the system**?

It's *possible* that upon investigation, you can prove the system wasn't in
fact compromised.  For example, if the vulnerability was *known* to have been
created last Tuesday at 10:18AM by a botched software install, and you have
router netflow and firewall logs that show *every* access to the box since
10:18AM Tuesday, then you might be able to definitively say that nothing used
the vulnerability to gain access.  This is usually a *lot* easier than
figuring out what an intruder did once they had free and unfettered access
to the system.

The details, of course, will depend on the nature of the vulnerability,
what sort of logs are kept by the organization, and how long a window has
passed.

Content of type "application/pgp-signature" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ